Stylish vs Stylus Browser Extensions

Note: these are some old comments about the Stylish browser extension. The Stylish extension went bad, but there is a fork called Stylus that is good. The comments below are just preserved in case anyone finds them in Google while looking for information about the difference.

tl;dr use Stylus


The old Stylish extension was great, but as I was configuring it for more sites, I realized that it had to be sending my browsing history to a remote server, because it knew what styles to suggest for each site. I searched for a privacy policy and found some posts about the company’s being sold to some kind of marketing company.

https://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/

Someone analyzed the extension in the comments and it looks shady:

Sounds like “tracking browsing history” in so much words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to “https ://api.userstyles.org/tic/stats” (I added a space in URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to “api .userstyles.org”. I manually entered the URL of the page here in a new tab and another POST was made to “api .userstyles.org”.

I then looked at the data sent in the POST. It is a two-pass base64 encoded data, and the data sent is as follow:

vmt=1.6.3
lav=21
wv=1
gr=chrome
di=541
pxe=[a unique identifier reused for each page visited]
knl=https%3A%2F%2Fnews.ycombinator.com%2F
gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2FResearch-papers-in-the-.NET-source%2F
ver=https%3A%2F%2Fnews.ycombinator.com%2F
st=1483716982098
ch=9

Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).

So yes, Stylish can now build a profile of your browsing history. The two-pass encoded base64 is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to encode twice base64 — so the only explanation left is “let’s not make it too obvious what we are sending”).

When I un-checked the option “Send anonymous data to Stylish developers for determining user counts”, the extension ceased to send the browsing history.

It must be noted that the information sent is by no mean anonymous, because of the unique user id in each POSTed request, and on top of this by sending data to “api .userstyles.org” server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identify you through the unique id (very bad — defeats the purpose of using a VPN as a mean to enhance anonymity).

The manifest shows that the extension contains hook for Google Analytics (this fulfills the “user counts” explanation). However I see a “object-src ‘self’” content security policy, and I question this: this gives the extensions the ability to embed plugins in its own code[1], though through a quick glance I can’t see any file as of now in the extension itself which could be loaded as a plugin.

> This information powers some of the extension’s functionality such as the ability to reveal styles to users when they visit sites in the browser

So things to keep in mind if you are eager to believe the above explanation from Stylish representative:
– the attempt at obfuscation (no valid reasons whatsoever).
– the unique id “appUniqueId” (no valid reasons whatsoever).
– the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
– the full referrer URL (no valid reasons whatsoever).

All these are not necessary for the official stated goal — and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.

My advice is if you really need that extension, disable the option to send supposedly anonymous data — so far, as of writing, it seems it does what it says. Unfortunately as is too often the case, the default is not pro-user i.e. not opt-in so a lot of people will end up having their browsing history collated (even if using a VPN).

It looks like that spyware company (SimilarWeb) has a lot of extensions. The extension also claims to be GPL3, but when I tried to find the source code for the latest releases, it isn’t available.

If anyone knows of an alternative, let me know. :slight_smile:

I found a fork of Stylish called Stylus that appears to not contain malware.